Place1 / wg-access-server

An all-in-one WireGuard VPN solution with a web ui for connecting devices
MIT License

DNS leaked? #113

Open alexlii1971 opened 3 years ago

alexlii1971 commented 3 years ago

Hello,

I am fresh with wg-access-server, and I run the following sample:

```shell
export WG_ADMIN_PASSWORD="example"
export WG_WIREGUARD_PRIVATE_KEY="$(wg genkey)"

docker run \
  -it \
  --rm \
  --cap-add NET_ADMIN \
  --device /dev/net/tun:/dev/net/tun \
  -v wg-access-server-data:/data \
  -e "WG_ADMIN_PASSWORD=$WG_ADMIN_PASSWORD" \
  -e "WG_WIREGUARD_PRIVATE_KEY=$WG_WIREGUARD_PRIVATE_KEY" \
  -p 8000:8000/tcp \
  -p 51820:51820/udp \
  place1/wg-access-server
```

Questions please:

1. So, the default admin password will be "example"?
2. After a test at https://www.dnsleaktest.com/results.html, it shows as in this screenshot: http://prntscr.com/10djcfs. Does that mean DNS leaked?
3. I checked the document at https://place1.github.io/wg-access-server/2-configuration/, but I am still confused about how to configure the settings from the command line. For example, how should I use WG_ADMIN_PASSWORD to reset the admin password? Would you please write a sample command line for those configuration options?

Thanks and have a nice day.

talesam commented 3 years ago

Use docker-compose

https://place1.github.io/wg-access-server/deployment/2-docker-compose/

alexlii1971 commented 3 years ago

Do you mean that the docker-compose method prevents DNS leaking?

If yes, I am glad to have a try.

Thanks

alexlii1971 commented 3 years ago

https://place1.github.io/wg-access-server/deployment/2-docker-compose/

I gave it a try; unfortunately, this configuration file does not work:

```yaml
version: "3.0"
services:
  wg-access-server:
    # to build the docker image from the source
    # build:
    #   dockerfile: Dockerfile
    #   context: .
    image: place1/wg-access-server
    container_name: wg-access-server
    cap_add:
      - NET_ADMIN
    volumes:
      - "wg-access-server-data:/data"
    #   - "./config.yaml:/config.yaml" # if you have a custom config file
    environment:
      - "WG_ADMIN_USERNAME=admin"
      - "WG_ADMIN_PASSWORD=${WG_ADMIN_PASSWORD:?\n\nplease set the WG_ADMIN_PASSWORD environment variable:\n    export WG_ADMIN_PASSWORD=example\n}"
      - "WG_WIREGUARD_PRIVATE_KEY=${WG_WIREGUARD_PRIVATE_KEY:?\n\nplease set the WG_WIREGUARD_PRIVATE_KEY environment variable:\n    export WG_WIREGUARD_PRIVATE_KEY=$(wg genkey)\n}"
    ports:
      - "8000:8000/tcp"
      - "51820:51820/udp"
    devices:
      - "/dev/net/tun:/dev/net/tun"

# shared volumes with the host
volumes:
  wg-access-server-data:
    driver: local
```

talesam commented 3 years ago

Did you set these variables?

```yaml
"WG_ADMIN_PASSWORD=PASSWORD_ADMIN"
"WG_WIREGUARD_PRIVATE_KEY=KEY_PRIVATE"
```

alexlii1971 commented 3 years ago

Sorry, no. I can set a custom PASSWORD_ADMIN, but how should I set WG_WIREGUARD_PRIVATE_KEY=KEY_PRIVATE please?

Thanks

talesam commented 3 years ago

It's in the documentation...

`wg genkey`, see https://www.wireguard.com/quickstart/#key-generation

You need to install the wireguard-tools package to generate it, otherwise you will not have access to the command.

Or access the container to generate it inside and copy it, with:

```shell
docker exec -it ID_CONTAINER sh
```

alexlii1971 commented 3 years ago

Thanks.

I can make it run and work if I do not use docker-compose.

But I am trying to use the docker-compose method, and I found the installation is not smooth in practice. Here is how I did it, and I would like to let you know:

1. Portainer install on a fresh server.
2. Use this file at https://github.com/Place1/wg-access-server/blob/master/docker-compose.yml, and there will be an issue, please check the screenshot: https://prnt.sc/10h4ikg

Please note: the docker container is not created yet, so I could not get into the container shell.

3. Follow your install steps at https://github.com/Place1/wg-access-server#running-with-docker-compose, go back to the server SSH shell, and input:

```shell
export WG_ADMIN_PASSWORD="example"
export WG_WIREGUARD_PRIVATE_KEY="$(wg genkey)"

docker-compose up
```

and it will ask to install wireguard OUT of docker...

So, it is actually hard to deploy the project by docker-compose, do you get what I mean?

Thanks and have a nice day.

talesam commented 3 years ago

Copy the code as it is and paste it into your docker-compose.yml:

```yaml
version: "3.0"
services:
  wg-access-server:
    image: place1/wg-access-server
    container_name: wg-access-server
    cap_add:
      - NET_ADMIN
    volumes:
      - "wg-access-server-data:/data"
    environment:
      - "WG_ADMIN_USERNAME=admin"
      - "WG_ADMIN_PASSWORD=123456"
      - "WG_WIREGUARD_PRIVATE_KEY=EN9vu3In7aydLuAgrMpwVeGMiMbRhibl05EWxlN9cWk="
    ports:
      - "8000:8000/tcp"
      - "51820:51820/udp"
    devices:
      - "/dev/net/tun:/dev/net/tun"
```

Run: `docker-compose up -d`

Release the ports 8000/tcp and 51820/udp on your firewall.

alexlii1971 commented 3 years ago

> copy the code as it is and paste it into your docker-compose.yml
>
> ```yaml
> version: "3.0"
> services:
>   wg-access-server:
>     image: place1/wg-access-server
>     container_name: wg-access-server
>     cap_add:
>       - NET_ADMIN
>     volumes:
>       - "wg-access-server-data:/data"
>     environment:
>       - "WG_ADMIN_USERNAME=admin"
>       - "WG_ADMIN_PASSWORD=123456"
>       - "WG_WIREGUARD_PRIVATE_KEY=EN9vu3In7aydLuAgrMpwVeGMiMbRhibl05EWxlN9cWk="
>     ports:
>       - "8000:8000/tcp"
>       - "51820:51820/udp"
>     devices:
>       - "/dev/net/tun:/dev/net/tun"
> ```

Hi,

it will show an error:

```text
Deployment error
Named volume "wg-access-server-data:/data:rw" is used in service "wg-access-server" but no declaration was found in the volumes section.
```

Screenshot:

http://prntscr.com/10ha2rt

By the way, Portainer seems to use port 8000 by default: https://documentation.portainer.io/v2.0/deploy/ceinstalldocker/

Thanks

talesam commented 3 years ago

I never used Portainer, it runs directly at the terminal

alexlii1971 commented 3 years ago

I see.

It would be great if the install tutorial showed the process step by step.

alexlii1971 commented 3 years ago

So, please let me know whether it is right for the following steps:

1. Install wireguard out of docker
2. Generate keys
3. Create docker-compose by using your docker-compose.yml
4. docker-compose up?
5. Access web-ip:8000

am I right please?

alexlii1971 commented 3 years ago

> I never used Portainer, it runs directly at the terminal

I tried running directly at the terminal, and only the docker method is working: https://github.com/Place1/wg-access-server#running-with-docker

and none of the Docker-Compose methods work, please check the screenshot: http://prntscr.com/10hffs3

Here are the docker-compose.ymls I tested:

- https://place1.github.io/wg-access-server/deployment/2-docker-compose/
- https://github.com/Place1/wg-access-server/issues/113#issuecomment-793930760
- https://github.com/Place1/wg-access-server/blob/master/docker-compose.yml

but the DNS will be leaked at https://dnsleak.com/

Thanks

alexlii1971 commented 3 years ago

Our WireGuard server was blocked, and we lost the connection to the server, because, as I found, there is a DNS leak.

Solution: a self-hosted resolver with Unbound prevents DNS leaks. Please refer to this repository to understand what I mean: https://github.com/complexorganizations/wireguard-manager. It is perfect to prevent DNS leaks.

So, please integrate a self-hosted resolver with Unbound to prevent DNS leaks.

Thanks

alexlii1971 commented 3 years ago

> I never used Portainer, it runs directly at the terminal

Hello,

I used the following docker-compose.yml, and it works now:

```yaml
version: "3.0"
services:
  wg-access-server:
    # to build the docker image from the source
    # build:
    #   dockerfile: Dockerfile
    #   context: .
    image: place1/wg-access-server
    container_name: wg-access-server
    cap_add:
      - NET_ADMIN
    volumes:
      - "wg-access-server-data:/data"
    #   - "./config.yaml:/config.yaml" # if you have a custom config file
    environment:
      - "WG_ADMIN_USERNAME=admin"
      - "WG_ADMIN_PASSWORD=123456"
      - "WG_WIREGUARD_PRIVATE_KEY=gA8ZXOqbOtmrx1Fl0wC+HctlAWkyuZBnY61dlllV6Vs="
      - "WG_DNS_ENABLED=true"
    ports:
      - "8000:8000/tcp"
      - "51820:51820/udp"
    devices:
      - "/dev/net/tun:/dev/net/tun"

# shared volumes with the host
volumes:
  wg-access-server-data:
    driver: local
```

According to your official document at https://place1.github.io/wg-access-server/2-configuration/, if WG_DNS_ENABLED is set to true, it will prevent DNS leaks, but actually it shows DNS leaked, please check the screenshot: https://prnt.sc/10kima1

If I use this repository at https://github.com/alexlii1971/wireguard-manager, it perfectly prevents DNS leaks.

So, I tried to edit resolv.conf to change the DNS:

```shell
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

echo nameserver 1.1.1.1 | sudo tee /etc/resolv.conf
```

But it does not work.

Would you please let me know how to enhance the wg-access-server configuration to prevent DNS leaks? Or should I run `sudo apt remove -y dnsmasq` before wg-access-server is installed?

Anyway, I would like to leave the demo server for your check: http://172.105.199.120:8000/

Thanks
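The leak tests in this thread are run on the client, and whether queries escape depends on the client-side WireGuard config: a `DNS` entry must be present and that resolver must be routed inside `AllowedIPs`. As an added example (not code from wg-access-server or from anyone in the thread), this stdlib-only Python check flags both preconditions on a constructed client config; the `10.44.0.1` resolver address and the `vpn.example.com` endpoint are assumptions, not values from the project.

```python
"""Check a WireGuard client config for the preconditions that let DNS queries
escape the tunnel. Added example; the sample configs below are constructed."""
import configparser
import ipaddress

# Constructed client config: full-tunnel AllowedIPs but no DNS entry, so the
# host keeps using its normal (LAN/ISP) resolver outside the tunnel.
LEAKY_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.44.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
"""

# Same config with a resolver on the VPN subnet; 10.44.0.1 is an assumed
# address for the server-side DNS that WG_DNS_ENABLED=true hands to clients.
FIXED_CONFIG = LEAKY_CONFIG.replace(
    "Address = 10.44.0.2/24", "Address = 10.44.0.2/24\nDNS = 10.44.0.1")


def check_dns_leak(config_text):
    """Return a list of findings; an empty list means no leak precondition."""
    # WireGuard configs are INI-like; configparser lowercases key names.
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(config_text)
    allowed = [ipaddress.ip_network(n.strip())
               for n in cp["Peer"].get("AllowedIPs", "").split(",") if n.strip()]
    dns_raw = cp["Interface"].get("DNS", "")
    findings = []
    if not dns_raw:
        findings.append("no DNS in [Interface]: host resolver used outside the tunnel")
    for d in (x.strip() for x in dns_raw.split(",") if x.strip()):
        if not any(ipaddress.ip_address(d) in net for net in allowed):
            findings.append(f"DNS {d} is outside AllowedIPs: queries bypass the tunnel")
    if not any(net.version == 4 and net.prefixlen == 0 for net in allowed):
        findings.append("AllowedIPs does not cover 0.0.0.0/0: split tunnel, DNS may leak")
    return findings


if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_dns_leak(cfg) or ["ok"])
```

Run it against the config the web UI hands out; if it reports a finding, the leak is on the client side and no server-side resolver change will close it.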